Techniques for code intent discovery
Abstract
A system and method for detecting code intent of code objects in a computing environment for assessing cybersecurity risk is presented. The method includes detecting a plurality of code objects in a computing environment; statically analyzing each code object of the plurality of code objects to determine a plurality of potential intents, each potential intent corresponding to an action; generating a cybersecurity signal in the computing environment based on a plurality of event records; detecting in the cybersecurity signal a first event corresponding to a potential intent; determining that the potential intent is a code intent based on the detection; detecting in the cybersecurity signal a second event which does not correspond to any potential intent; and initiating a remediation action in the computing environment based on the detected second event.
Claims
exact text as granted — not AI-modifiedWhat is claimed is:
1 . A method for detecting code intent of code objects in a computing environment for assessing cybersecurity risk, comprising:
detecting, based on inspection of an inspectable disk, a plurality of code objects in a computing environment; statically analyzing each code object of the plurality of code objects to determine a plurality of potential code intents, each potential code intent corresponding to an action; generating a cybersecurity signal in the computing environment based on a plurality of event records; detecting in the cybersecurity signal a first event corresponding to a potential code intent; determining that the potential code intent is a code intent based on the detection of the first event corresponding to a potential code intent; detecting in the cybersecurity signal a second event which does not correspond to any potential code intent; and initiating a remediation action in the computing environment based on the detected second event.
2 . The method of claim 1 , further comprising:
detecting the plurality of code objects in a code repository of the computing environment, wherein the code repository is configured to store a plurality of versions of each code object.
3 . The method of claim 1 , further comprising:
generating a call graph based on the static analysis of each code object of the plurality of code objects.
4 . The method of claim 1 , further comprising:
receiving an event from a runtime sensor, the runtime sensor deployed on a resource and configured to detect runtime event data on the resource; and generating the cybersecurity signal based on the received event.
5 . The method of claim 1 , further comprising:
detecting an event in a log of the computing environment; and generating the cybersecurity signal based on the detected event.
6 . The method of claim 5 , wherein the log is any one of: a cloud log, a network log, an event log, a runtime execution log, or any combination thereof.
7 . The method of claim 1 , further comprising:
detecting a resource in the computing environment, wherein the resource utilizes an application, the application based on a code object of the plurality of code objects; determining that the second event is associated with the application based on an identifier of the application in a record of the second event; and determining that the second event does not correspond to any potential code intent associated with the code object of the application.
8 . The method of claim 7 , further comprising:
initiating the remediation action based on the application.
9 . The method of claim 8 , further comprising:
initiating the remediation action on the resource.
10 . A non-transitory computer-readable medium storing a set of instructions for detecting code intent of code objects in a computing environment for assessing cybersecurity risk, the set of instructions comprising:
one or more instructions that, when executed by one or more processing circuitries of a device, cause the device to:
detect based on inspection of an inspectable disk, a plurality of code objects in a computing environment;
statically analyze each code object of the plurality of code objects to determine a plurality of potential code intents, each potential code intent corresponding to an action;
generate a cybersecurity signal in the computing environment based on a plurality of event records;
detect in the cybersecurity signal a first event corresponding to a potential code intent;
determine that the potential code intent is a code intent based on the detection of the first event corresponding to a potential code intent;
detect in the cybersecurity signal a second event which does not correspond to any potential code intent; and
initiate a remediation action in the computing environment based on the detected second event.
11 . A system for detecting code intent of code objects in a computing environment for assessing cybersecurity risk comprising:
one or more processing circuitries configured to: detect, based on inspection of an inspectable disk, a plurality of code objects in a computing environment; statically analyze each code object of the plurality of code objects to determine a plurality of potential code intents, each potential code intent corresponding to an action; generate a cybersecurity signal in the computing environment based on a plurality of event records; detect in the cybersecurity signal a first event corresponding to a potential code intent; determine that the potential code intent is a code intent based on the detection of the first event corresponding to a potential code intent; detect in the cybersecurity signal a second event which does not correspond to any potential code intent; and initiate a remediation action in the computing environment based on the detected second event.
12 . The system of claim 11 , wherein the one or more processing circuitries are further configured to:
detect the plurality of code objects in a code repository of the computing environment, wherein the code repository is configured to store a plurality of versions of each code object.
13 . The system of claim 11 , wherein the one or more processing circuitries are further configured to:
generate a call graph based on the static analysis of each code object of the plurality of code objects.
14 . The system of claim 11 , wherein the one or more processing circuitries are further configured to:
receive an event from a runtime sensor, the runtime sensor deployed on a resource and configured to detect runtime event data on the resource; and generate the cybersecurity signal based on the received event.
15 . The system of claim 11 , wherein the one or more processing circuitries are further configured to:
detect an event in a log of the computing environment; and generate the cybersecurity signal based on the detected event.
16 . The system of claim 15 , wherein the log is any one of:
a cloud log, a network log, an event log, a runtime execution log, or any combination thereof.
17 . The system of claim 11 , wherein the one or more processing circuitries are further configured to:
detect a resource in the computing environment, wherein the resource utilizes an application, the application based on a code object of the plurality of code objects; determine that the second event is associated with the application based on an identifier of the application in a record of the second event; and determine that the second event does not correspond to any potential code intent associated with the code object of the application.
18 . The system of claim 17 , wherein the one or more processing circuitries are further configured to:
initiate the remediation action based on the application.
19 . The system of claim 18 , wherein the one or more processing circuitries are further configured to:
initiate the remediation action on the resource.Cited by (0)
No later patents cite this yet.
References (0)
No backward citations on record.